Packing Detection and Trojan Identification Techniques Based on PE Files
[Abstract]: Network security is an integral part of informatics, and the analysis and detection of Trojan horses is the most important topic in that field. Today most computers, and even mobile phones, are equipped with a variety of Trojan detection and removal software. This paper focuses on methods for analysing and detecting Trojan horses under the Windows system. On Windows, a Trojan must exist in the form of a PE file in order to invade the computer and achieve its illegal purpose, so judging whether a PE file is packed cannot be ignored during Trojan detection; accordingly, this paper also carries out a series of studies on methods of packing detection for PE files. The paper first introduces and analyses the current state of Trojan detection at home and abroad in detail, and sets out the basic approaches to Trojan detection, namely dynamic detection and static detection. Secondly, the organisational structure, analysis methods and section characteristics of the PE file format are introduced in detail, as the basis for extracting all kinds of valid information and classification features from PE files. A method for identifying packed PE files is then introduced, based mainly on the Minkowski distance between specific attributes of the PE file, since packed and unpacked PE files differ significantly in certain attribute characteristics; experimental results show that this method can effectively detect packed PE files. Finally, a static Trojan detection method based on the C5.0 decision tree algorithm is proposed. The algorithm takes the various attributes extracted from the PE file as classification features and combines them with an efficient boosting algorithm. Each PE file is first unpacked with the PEiD software and then further processed to improve the performance indices. Experimental results show that this method achieves progress in many respects.
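The Minkowski-distance packing detector described above, as an added illustration that is not the thesis's own code: the attributes (entry-section entropy, raw/virtual size ratio, import count), their full-scale values and the two reference centroids are assumptions, since the abstract names neither the attributes nor the reference data, and the two samples are constructed section tables rather than real binaries.

```python
import math

# Attribute choice and full-scale values are assumptions of this example (the
# thesis names neither); scaling keeps one attribute from dominating the metric.
SCALE = (8.0, 1.0, 6.0)  # entry-section entropy (bits), raw/virtual size ratio, log1p(imports)

# Assumed reference centroids in scaled units; in practice, learned from a labelled corpus.
CENTROIDS = {
    "packed":   (7.2 / 8.0, 0.35, math.log1p(3) / 6.0),
    "unpacked": (5.5 / 8.0, 0.95, math.log1p(60) / 6.0),
}

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_features(sections, import_count):
    """Scaled attribute vector from parsed section records {name, raw, virtual_size, entry}."""
    entry = next(s for s in sections if s["entry"])
    raw_total = sum(len(s["raw"]) for s in sections)
    virt_total = sum(s["virtual_size"] for s in sections)
    vec = [shannon_entropy(entry["raw"]), raw_total / virt_total if virt_total else 0.0,
           math.log1p(import_count)]
    return [v / s for v, s in zip(vec, SCALE)]

def minkowski(a, b, p):
    """Minkowski distance of order p (p=1 Manhattan, p=2 Euclidean)."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)

def detect(sections, import_count, p=2.0):
    """Nearest-centroid decision under the Minkowski metric of order p."""
    vec = extract_features(sections, import_count)
    return min(CENTROIDS, key=lambda label: minkowski(vec, CENTROIDS[label], p))

# Constructed samples, not real binaries. A packer typically leaves an empty section
# to unpack into, a small high-entropy stub holding the entry point, and a tiny import table.
PACKED_SAMPLE = ([
    {"name": "UPX0", "raw": b"", "virtual_size": 16384, "entry": False},
    {"name": "UPX1", "raw": bytes(range(256)) * 8, "virtual_size": 2048, "entry": True},
], 2)
UNPACKED_SAMPLE = ([
    {"name": ".text", "raw": b"\x55\x8b\xec\x83\xec\x10\xc3" * 300, "virtual_size": 2100, "entry": True},
    {"name": ".data", "raw": bytes(512), "virtual_size": 512, "entry": False},
], 60)
```

Calling `detect(*PACKED_SAMPLE)` and `detect(*UNPACKED_SAMPLE)` yields "packed" and "unpacked" for both p=1 and p=2; in a real pipeline the section records come from parsing the PE section table and the centroids from labelled training files.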
[Degree-granting institution]: Guangxi University
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08